Security MadLibs: Your IoT electrical outlet can now pwn your smart TV

A security vulnerability in "smart" power plugs can be exploited to infiltrate local computer networks. The flaw, spotted in Belkin's Wemo Insight smartplugs, would potentially allow an attacker to not only manipulate the plug itself, but also allow hopping to other devices connected to the same Wi-Fi home network. …

  1. FlamingDeath Bronze badge

    The S in IoT stands for security

    The Internet of Shit™ strikes again

    It seems no company is afraid of distributing shit and poorly tested code to their customers, be it Belkin, Samsung, Cisco, Draytek, my list could quite possibly be endless

    I bet their profits are looking great though, the CEO and shareholders enjoying huge payouts

    If only they invested more in testing and security, if only...

    Maybe a law is needed, am I being too preemptive here?

  2. Anonymous Coward

    Re: The S in IoT stands for security

    >> Maybe a law is needed

    The politicians are far too busy screwing up other things to worry about this.

  3. Someone Else Silver badge

    @FlamingDeath -- Re: The S in IoT stands for security

    Maybe a law is needed, [...]

    Don't let the commentard with the provocative handle "thepenisyoulove" hear you say that...

  4. The Man Who Fell To Earth Silver badge

    Re: The S in IoT stands for security

    This is why if for some reason you have to have IoT devices around, you segregate them on a IoT-only VLAN that is behind a firewall and can only access the Internet. No "real computers" or peripherals on that VLAN. Better yet, if your router supports enough SSID's & VLANs, give each IoT device (or small groups of like-IoT devices) their own SSID & VLAN to use so they can't even see each other.
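One concrete shape of the segregation described in the comment above, as an added example that is not from the article or any commenter: an nftables ruleset for a Linux router with the trusted LAN on VLAN interface vlan10 (192.168.10.0/24), the IoT VLAN on vlan20 (192.168.20.0/24) and the upstream link on eth0. Interface names and subnets are assumptions; the rule structure is what matters.

```nft
# Added example, not code from the article or from any commenter. Assumes a
# Linux router/firewall where vlan10 is the trusted LAN, vlan20 is the IoT
# VLAN and eth0 is the WAN uplink (all three names are assumptions).
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # IoT devices may talk to the router itself only for DHCP and DNS.
        iifname "vlan20" udp dport { 53, 67 } accept
        iifname "vlan20" tcp dport 53 accept
        # Router management (SSH, web UI, ...) from the trusted LAN only.
        iifname "vlan10" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the Internet and may initiate connections
        # into the IoT VLAN (so a phone on the LAN can still flip the plug).
        iifname "vlan10" oifname "eth0" accept
        iifname "vlan10" oifname "vlan20" accept

        # IoT VLAN may reach the Internet only. Anything it initiates towards
        # the trusted LAN is logged and dropped; the chain policy drops
        # everything else (including traffic to any further IoT VLANs).
        iifname "vlan20" oifname "eth0" accept
        iifname "vlan20" oifname "vlan10" log prefix "iot->lan blocked: " drop
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. Replies from the plug to a LAN-initiated connection pass on the `established,related` rule, so nothing in the IoT VLAN ever needs to open a connection towards the LAN. Two caveats: the per-device variant in the comment is the same pattern with one more `vlanNN` interface per device group and no `vlanNN -> vlanMM` accept rule, and none of this stops the plug's own outbound connection to its vendor's cloud, which is the path an attacker on the Internet side would use against the plug itself.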

  5. John Sager

    Re: The S in IoT stands for security

    Well, you can do the VLAN/firewall stuff, and so can I and so can a lot of commentards on here. But Joe & Jane Public? It'll be a long time before manufacturers get around to plug & play VLAN/SSID/firewall configuration.

  6. Prst. V.Jeltz Silver badge

    Re: The S in IoT stands for security

    "IoT-only VLAN that is behind a firewall and can only access the Internet"

    How would that stop someone accessing your smart plug thing and turning off your granny iron lung?

  7. GnuTzu Bronze badge

    Re: The S in IoT stands for security

    Actually, the inevitability is that there will be disposable smart devices, which means our trash bins will be full of these things--many of which will be left on or unable to be turned off. So we really will have Internet of Trash. Also, we may well expect that someone will come up with smart decomposition trackers. And, what happens when the singularity happens and this stuff all becomes conscious. Then the Internet of Shit will really hit the Internet enabled smart fan.

  8. Robert Helpmann?? Silver badge

    Re: The S in IoT stands for security

    Well, you can do the VLAN/firewall stuff.... But Joe & Jane Public?

    This! This is the heart of the problem with IoT. If only there were an easy to set up and use management system to secure and control all a home's IoT crap... Wouldn't take much technical expertise with a touch of scare tactic marketing to get a business up and running.

  9. Roland6 Silver badge

    Re: The S in IoT stands for security

    >If only there were an easy to set up and use management system to secure and control all a home's IoT crap...

    Unfortunately, I think this will most probably be a case of dream on...

    Why?

    I remember the 1980s when practically the same problem faced networking, yes we came up with SNMP (and its ISO OSI equivalent) and MIB, which very quickly transformed into MIB2 with lots of proprietary extensions...

  10. Fatman

    Re: The S in IoT stands for security

    $DEITY knows that I wish I could give you a lot more upvotes!!!

  11. Milton Silver badge

    "shouldn't be on … network in the first place"

    "… new way to break thing that shouldn't be on your home network in the first place"

    I guess we're all a leetle tired of saying that just because you can do something doesn't mean you should. Personally I thought that even non-technical consumers would have developed some healthy scepticism by now, rather than continuing to swallow the endless drivel spouted by marketurds. But the Internet of Shyte tide just keeps on coming in, bringing at best utterly pointless and at worst positively dangerous connectivity to a Useless Device Near You.

    But it's not only about personally inconveniencing twits with more money than sense, is it? It's potentially way bigger than that.

    Given the recent article about research into how abuse of connected devices could be used to bring down regional power grids, and the never-ending news about Russia's GRU hacking, invading and weaponising every damn thing in sight, you could be forgiven for wondering why western governments aren't taking control of this. If it was common knowledge that hostile Crotobaltislavonian intelligence was planting remote-controllable demolition charges around UK or US strategic infrastructure like power grids, water and gas pipelines, reservoirs, railways, motorway bridges ... why, there would be massive bloody uproar. If gullible consumers were buying those cute imported Crotobalti Slobberpups, unaware that, upon receiving a broadcast command in years to come, these seemingly inoffensive canines would tear their owners' throats out before causing mayhem on the streets, there would be swift and decisive action.

    Yet, as something very similar but intangible is happening right now in the field of internet technology, nothing effective is done at all.

    One of the few things worse than Brexit would be if Vlad The Emailer switched off Britain's lights for a week. The cost of the chaos is almost unimaginable. Is it a good idea to keep doing things that make this easier for him?

    Incomprehensible, to imbecile politicians.

  12. boltar Silver badge

    Re: "shouldn't be on … network in the first place"

    "One of the few things worse than Brexit would be if Vlad The Emailer switched off Britain's lights for a week."

    Since you're obviously a fan of the EU why not ask them why they haven't written up one of their famous directives to control this particular piece of tech.

    Or is it simply a case that almost all politicians are technical and scientific illiterates who barely grasp the terminology, never mind the ideas and issues behind it? The fact is that we keep electing people whose qualifications, if they even have any, are utterly useless for running a 21st century state. Perhaps a few more BSc's** and a few less MA's and MBA's in parliaments around the world might improve things immensely.

    ** Yes, Thatcher, but to be fair she was actually quite good when it came to supporting new tech industries back in the day.

  13. Roland6 Silver badge

    Re: "shouldn't be on … network in the first place"

    Coming at this from a slightly different angle...

    Just been reading/researching Cat6a and PoE and one article was about using Cat6e PoE for smart lighting systems. I can envision the logic that leads to the implementation convergence, so that things that shouldn't be on the data network end up being put on the data network because it makes things so much easier...

  14. GSTZ

    Re: Hoping for help from politicians ...

    One of the important things that people need to learn is that you cannot fix fundamental technology problems just by issuing new laws, rules, certificates and other boring paperwork.

    So why should one ask politicians and civil servants who typically have rather limited insight into the problems to produce even more laws and rules? At best, that would lead to a false impression of improvements in security and also to more lengthy, pointless and expensive lawsuits.

    Help can only come from experts and a shift in paradigm - leaving behind that currently prevailing messy IT infrastructure which is pretty unreliable and vulnerable beyond repair, and coming up with something new that has been designed for reliability and security from day one.

  15. trydk

    Re: Hoping for help from politicians ...

    @ GSTZ: The technology sector as a whole (more or less) has shown that they cannot fathom that security should be more important than money, thus we need some appropriate paragraphs to push them in the right direction.

    A simple and rather non-intrusive law could state that the producer of a thingamading* is entirely responsible for the damage (direct and indirect as well as collateral) a hack causes in all aspects from money over property damage to reputation where applicable. Add some punitive damages to that, say 1% of worldwide yearly turnover (not profit as that can be fiddled with), and I think even the big multinationals would sit up and listen!

    * Yes, there are a few corner cases like software installed on a computer but I'm pretty sure that some nice people on here can sort that out; otherwise there'll be plenty of opportunity to downvote me.

  16. GSTZ

    Re: Hoping for help from politicians ...

    @ trydk: That call for stricter IT security laws sounds good, but won't help very much. Such legislation might cause tiny startups to improve their IoT product's password protection from "hilarious" or "none" to "very basic", but that does not solve the much wider and much older fundamental problems in IT security.

    We run IT infrastructure that is utterly vulnerable, offering myriads of holes making nasty attacks like WannaCry possible. When taken to court, Microsoft will certainly be able to prove that they are doing the best they can and are not neglecting their duties. In the WannaCry example, they had published a related Windows patch two months before the malware outbreak.

    Other cases are even more difficult, it will often be hard to determine who should be held responsible at all - like in the Heartbleed case, which was caused by a bug in Open Source code.

    Who is to blame for the fact that practically all of our IT gear is based on the vulnerable Von Neumann computer architecture? In contrast, the Harvard architecture features solid separation between data and code, thus providing much better protection. But can vendors be sued for not investing many billions into something entirely different that would be extremely hard to bring to market?

    Legislation can help to create awareness, as shown in the GDPR case (it will take some time until the positive effects will prevail over the initial difficulties). However, politicians and lawyers cannot fix fundamental shortcomings in technology.

  17. Doctor Syntax Silver badge

    No problem. Those are two of the many devices I wouldn't have been buying anyway.

  18. Prst. V.Jeltz Silver badge

    What the fuck is it

    I propose all Reg articles titled "IoT device X is shit, pointless and insecure" should start with a paragraph explaining what it is and what possible benefit the manufacturers are claiming it is to anyone.

    Otherwise we're just left guessing why the fuck would anyone connect an X to the internet.

  19. Little Mouse

    "enabling the owner to ... turn the plugs on and off with a smartphone or PC"

    Shoot me now. Please, someone. Just end it before it gets any worse.

  20. Wellyboot Silver badge

    I foresee a new Darwin Award category - Fatalities resulting from the interplay of IoT devices.

  21. Kernel Silver badge

    "Shoot me now. Please, someone. Just end it before it gets any worse."

    I see you suffer from a common internet problem - the assumption that because you have no use case for such a device nobody else can possibly have a valid reason for wanting one.

    Most of the use cases I've heard of for these involve controlling stuff from a little further away than the other side of the room - although personally I'd only ever connect one at home behind the VPN server.

  22. sweh

    It's Christmas!

    "Shoot me now. Please, someone. Just end it before it gets any worse."

    At Christmas time I plan on putting the tree lights on a smart switch and programming the echo so I can say "Alexa, it's Christmas!" and the tree lights will turn on and Slade will start playing.

    Now that's smart :-)

  23. Chronos Silver badge

    Re: It's Christmas!

    Now that's smart :-)

    Not exactly the adjective I would have chosen. It does begin with "S," though.

    Perhaps tie it in with isitchristmas.com's public API? For the authentic feel, have it randomly turn the lights off until you fiddle with the fuse bulb...

  24. Phil O'Sophical Silver badge

    Re: It's Christmas!

    so I can say "Alexa, it's Christmas!" and the tree lights will turn on and Slade will start playing.

    Interesting demographic niche there: old enough to like "Merry Christmas Everybody", young enough to think Alexa is a good idea.

  25. jake Silver badge

    Re: It's Christmas!

    A stopped clock is correct twice per day ;-)

  26. Flywheel Silver badge

    Re: It's Christmas!

    old enough to like "Merry Christmas Everybody"

    Nobody mentioned "like" - I'm old enough to remember that accursed ballad the first time round, but "like" is not a word I'd voluntarily use :)

  27. Rich 11 Silver badge

    Re: It's Christmas!

    I'm old enough to remember that accursed ballad the first time round

    Ditto. The novelty wore off the Christmas before my balls dropped.

  28. Prst. V.Jeltz Silver badge

    " although personally I'd only ever connect one at home behind the VPN server."

    and what would that do? It either isolates it so it's no use to you, or it's still insecure.

  29. Robert Helpmann?? Silver badge

    Shoot me now. Please, someone.

    With my IoT wireless connected smart gun?

  30. sweh

    Re: It's Christmas!

    Interesting demographic niche there: old enough to like "Merry Christmas Everybody", young enough to think Alexa is a good idea.

    Or maybe old enough to be able to decide for themselves the pros and cons of Alexa and feel that the "fun" factor outweighs the minimal risk.

    https://www.sweharris.org/post/2017-01-02-always-listening/

    BTW, I'm 50 this year. Hardly a youngster.

  31. Wellyboot Silver badge

    Low Impact - Really?

    "A smart plug by itself has a low impact. An attacker could turn off the switch or at worst possibly overload the switch" !!!

    Overloading electrical devices rarely ends well.

  32. DougS Silver badge

    Re: Low Impact - Really?

    The only way you could possibly overload the switch is if you had plugged in more things than it can handle, assuming you'd never turn them all on at once.

    If you have multiple electric kettles on the same switch assuming "I'll never turn on more than one at once", and have old wiring so a breaker isn't going to trip and save you, I can't say I'm going to feel too sorry for you if your house burns down...


  34. John H Woods Silver badge

    Re: Low Impact - Really?

    "The only way you could possibly overload the switch is if you had plugged in more things than it can handle,"

    IANASparky but couldn't rapid switching of some devices also cause problems?

  35. Adrian 4 Silver badge

    Re: Low Impact - Really?

    Yes.

    But only if they're even more poorly designed than the leaky wifi power switch.

  36. Long John Brass Silver badge

    Re: Low Impact - Really?

    Surge current is a thing. You may well damage the "smart" switch, the device that connected to it and possibly trip the breaker. Depending on the design I wouldn't put it past the "smart" switch to catch fire either :(

  37. Wellyboot Silver badge

    Re: Low Impact - Really?

    But only if they're even more poorly designed than the leaky wifi power switch.

    That's not a comforting thought when most modern consumer electrical stuff is designed down to a price. Sometimes I think CE rating just means 'don't run bare wires outside the box'.

  38. AS1

    Re: Low Impact - Really?

    "Sometimes I think CE rating just means 'don't run bare wires outside the box'."

    Bob: We were going for an industrial design, inspired by the Lloyd's Building in London, with all the utilities on the outside.

    BOFH: Can we put you on the inside? In small chunks.

  39. Borg.King

    So long Grandma, thanks for all the fish

    1. Overload the switch.

    2. Trip the GFCI on the main distribution panel.

    3*. Powers down the automatic defibrillator, and the WiFi connected panic switch.

    4. Anyone want Grandma's cat?

    5. Donations to the RSPCA please.

    * At this point you could switch the movie script to mix alien and human DNA to create whomsowhatever.

  40. Adrian 4 Silver badge

    Re: So long Grandma, thanks for all the fish

    an .. automatic defibrillator ?

    That's an interesting idea. I think there's probably a law against it though. Internet-connected or not.

  41. Cuddles Silver badge

    Re: So long Grandma, thanks for all the fish

    "an .. automatic defibrillator ?

    That's an interesting idea. I think there's probably a law against it though. Internet-connected or not."

    Why would there be a law against them? They're common and very useful medical devices. Usually they're small implants, so unlikely to be affected by anyone messing around with "smart" house electrics, although I wouldn't be at all surprised if they start connecting them to the internet with all the vulnerabilities that tends to bring.

    Aside from that, the big automated defibrillators are probably the most common form available, since they're usable by pretty much anyone without needing training. Again, they're generally self-contained units so wouldn't be affected by electrics, and in any case you only take them out and attach them to someone when actually needed. But they're very much a real thing, and making laws against them would be incredibly stupid.

  42. Alister Silver badge

    Re: So long Grandma, thanks for all the fish

    an .. automatic defibrillator ?

    That's an interesting idea. I think there's probably a law against it though.

    What a stupid comment!

    Nearly all defibrillators - even those used in hospitals or by paramedics, have software which automatically determines if the patient is in a shockable rhythm.

    Some, like the LifePak 20, which combine proper 12-lead ECG monitoring, are capable of being switched to manual mode, but they usually default to the AED setting.

  43. Mayday Silver badge

    I have a "Smart TV"

    And guess what? The wireless in it is turned off and it has never had any passwords in it. Solves that problem.

    When I was shopping around all I wanted was a dumb panel but finding a 4k screen which is not "Smart" proved difficult.


  46. Sampler

    Re: I have a "Smart TV"

    I found a "dumb" version of the 4k smart tv I wanted right on the same website, in the same section, handily for sixty bucks less, seemed like a "no brainer" ; )

    TV doesn't have to have smarts, why build something in that a $30 dongle can do just as adequately and can be replaced/upgraded when the time comes rather than wiping out the whole set, never mind IoT paranoia (whether it's deserved or not).

  47. Anonymous Coward

    'Solves that problem'

    There's still a few non-Smart TV's around but they're harder to find...

    If we've learned anything about tech ethics, assumption is the mother of all fuckups. First up, no one has proven that certain brands of Smart-TV's don't probe nearby neighbor's Wi-Fi and then phone-home! Routers without passwords in apartment complexes are common, and even more common are unsecured tethered Wi-Fi connections from cell phones etc.

    Cases such as this have been documented as well. Take a busy family home where the neighbor's kid comes over one day and links your Smart-TV to their Wi-Fi router without permission / knowledge. You end up finding out 6 months later etc.

    This is such big business now, expect some micro-antenna comms between nearby Smart-TV's, or undocumented 4G-sim feature, or just some general inescapable embedded micro-network tech coming soon to a Smart TV near you (on sale).

    Don't think any of this is possible? Maybe you just haven't seen Vizio's ethics in action. Remember, if the GDPR / Cali fine is less than the profit, then it only makes good business sense to continue. Think chemical spill fine versus clean-up costs etc...

    ~~~~

    https://www.forbes.com/sites/bernardmarr/2017/02/08/shocking-smart-tv-manufacturer-vizio-spies-on-customers-using-advanced-big-data-analytics/2/

    https://adexchanger.com/digital-tv/vizios-data-business-back-updated-privacy-policy-expanded-partnership-ispot-tv/

  48. H in The Hague Silver badge

    Re: I have a "Smart TV"

    "I found a "dumb" version of the 4k smart tv I wanted"

    Could you let us know the make and model? There might be quite a few of us out here interested in something like that.

  49. Anonymous Coward

    Re: I have a "Smart TV"

    "I found a "dumb" version of the 4k smart tv I wanted right on the same website, in the same section, handily for sixty bucks less, seemed like a "no brainer" ; )"

    Lucky you. When I purchased my TV the total number of non-smart 4k TVs offered by Samsung, Panasonic, Sony, and LG (as in listed on their web site) was zero. Not one. I think the very basic HD models might possibly have been not smart, but they lacked features (sound/image quality) I wanted.

  50. onefang

    Re: I have a "Smart TV"

    "TV doesn't have to have smarts, why build something in that a $30 dongle can do just as adequately and can be replaced/upgraded when the time comes rather than wiping out the whole set,"

    So that when the time comes that it needs to be replaced/upgraded, they can sell you a new expensive smart TV, instead of only selling you a new cheap dongle.

Biting the hand that feeds IT © 1998–2018